CVE-2022-23524
Last modified
CVE-2022-23524 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. EPSS estimates a 0.76% chance of exploitation in the next 30 days.
Description
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Helm | Helm | >= 3.0.0, < 3.10.3 |
References
- https://github.com/helm/helm/security/advisories/GHSA-6rx9-889q-vv2rThird Party Advisory
- https://github.com/helm/helm/security/advisories/GHSA-6rx9-889q-vv2rThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-23524?
How severe is CVE-2022-23524?
How do I fix CVE-2022-23524?
Are you affected by CVE-2022-23524?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST